Our interactive explorer for cybersecurity vulnerability trends, built on Common Vulnerabilities and Exposures (CVE) reported to cve.org since 2022.
Data: CVE records come from the CVE Program’s cvelistV5 repository. We process every published record from 2020 onward. The dates visualized on our explorer represent vulnerability publication dates, not discovery dates.
Severity: CVE severities are based on the Common Vulnerability Scoring System (CVSS). CVSS assigns a score between 0 and 10, according to factors like the attack complexity, required privileges, the scope of the vulnerability, and more. These numeric scores are then assigned to severity categories as follows:
We default to using a CNA’s own assessment first, and fill in gaps with assessments from third parties (known as Authorized Data Publishers, or ADPs). If multiple CVSS versions are given, we default to v4.0, with fallback to v3.1, then v3.0. Records without one of these CVSS scores are counted as “Unknown.”
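The selection rule above, as an added Python example (not Epoch AI's code) that reads the `metrics` arrays of a cvelistV5 JSON record. Assumptions: a CNA score in any accepted version outranks every ADP score, ADP containers are tried in file order, and scores map to categories on the standard CVSS v3.x/v4.0 qualitative scale; the sample records are constructed.

```python
# Added example: not the explorer's own code. Keys follow the CVE JSON 5.x record format.
PREFERRED = ("cvssV4_0", "cvssV3_1", "cvssV3_0")  # version order stated above

def band(score):
    """Standard CVSS v3.x/v4.0 qualitative scale (assumed to match the explorer)."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def best_metric(container):
    """Return (version_key, score) for the most-preferred CVSS entry, or None."""
    metrics = container.get("metrics") or []
    for key in PREFERRED:
        for m in metrics:
            cvss = m.get(key)
            if isinstance(cvss, dict) and isinstance(cvss.get("baseScore"), (int, float)):
                return key, float(cvss["baseScore"])
    return None  # only CVSS v2, free-text "other" metrics, or nothing at all

def severity(record):
    """CNA container first, then ADP containers in order (assumed precedence)."""
    containers = record.get("containers", {})
    adp = containers.get("adp") or []
    for source, c in [("cna", containers.get("cna") or {})] + [("adp", a) for a in adp]:
        hit = best_metric(c)
        if hit:
            return {"source": source, "version": hit[0], "score": hit[1], "severity": band(hit[1])}
    return {"source": None, "version": None, "score": None, "severity": "Unknown"}

# Constructed sample records (not real CVEs).
SAMPLES = {
    "cna_v31_beats_adp_v40": {"containers": {
        "cna": {"metrics": [{"cvssV3_1": {"baseScore": 7.5}}]},
        "adp": [{"metrics": [{"cvssV4_0": {"baseScore": 9.3}}]}]}},
    "adp_fills_gap": {"containers": {
        "cna": {"metrics": [{"cvssV2_0": {"baseScore": 5.0}}]},
        "adp": [{"metrics": [{"cvssV3_0": {"baseScore": 3.1}}, {"cvssV3_1": {"baseScore": 9.8}}]}]}},
    "unknown": {"containers": {"cna": {"metrics": [{"other": {"type": "text"}}]}}},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, severity(rec))
```

Under the opposite reading, where CVSS version outranks source, the first sample would resolve to the ADP's v4.0 score instead, so the precedence choice changes severity counts wherever a CNA and an ADP disagree.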
Reporting organizations (CNAs): Every CVE record is assigned by a CNA (CVE Numbering Authority) — typically the vendor of the affected product or a third-party security research organization. We count CVEs across all CNAs, but to keep the underlying data manageable we only break down individual counts for notable CNAs, with non-notable CNAs grouped into an “Other” category.
We consider a CNA notable if it is a vendor of widely deployed software or hardware, or a major open-source project or foundation, and it maintains an active CVE program (we require at least 50 CVEs published since 2020). We include the following organizations in our list of notable CNAs:
Reporting practices vary substantially across organizations, creating noise. For instance, Linux became a CNA in February 2024 and subsequently began assigning CVEs for thousands of backported bug fixes, leading to a high number of reports in 2024 and 2025.
Individual records: Alongside the aggregates, we surface individual High and Critical severity CVEs from notable CNAs, each linking back to its official CVE record. See the “Table” view in the explorer above, or download our data at the link below.
Our explorer visualizes the announcement date of Claude Mythos Preview (April 7, 2026), which coincided with a large jump in the number of new vulnerability reports. Anthropic claimed that Claude Mythos was capable of autonomous vulnerability discovery, and gave trusted partners access to the model in order to harden their software. Mythos Preview was used to find bugs in software before the April 7th announcement, which may have contributed to an increased number of reports in the month before the announcement. As of May 22nd, Anthropic claimed that Mythos Preview had been used to identify more than ten thousand high- or critical-severity bugs (not all of which had been publicly reported). Additionally, OpenAI has claimed that GPT-5.5 (released April 23) and GPT-5.5-cyber (May 7) are also capable of advanced cybersecurity tasks, and launched a similar trusted-partner program on May 7th, 2026.
Epoch AI’s data is free to use, distribute, and reproduce provided the source and authors are credited under the Creative Commons Attribution license.
Explore trends in software and hardware vulnerabilities (CVEs) since 2020 — how counts and severity have changed over time, broken down by the organizations that report them.